[zorp] zorp & debian sid

Balazs Scheidler bazsi@balabit.hu
Mon, 25 Nov 2002 10:29:16 +0100


Hi,

On Sat, Nov 23, 2002 at 12:14:27PM +0100, Alexandru Hartmann wrote:
> I just installed zorp on a Debian sid box, did some configuration and tried
> to fire it up:
> -------------------------
> # /etc/init.d/zorp start
> Warning: The number of file descriptors is 1024. You might want to increase 
> this.
> /usr/sbin/zorpctl: line 100: [: unlimited: integer expression expected
> Starting Zorp Firewall Suite: zorp
> --------------------------
> 
> Should I really increase that?

It depends on the number of parallel sessions you want to be able to serve
on your firewall...

Each session needs at least two fds (one for the client side, one for the
server side), but some of the proxies need even more.


> and here is the output of syslog:
> ---------------------------
> Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): Verbosity level: 3
> Nov 23 11:53:35 xxxxxxx zorp[4577]: (Log thread): thread starting;
> Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): System dependant init; 
> sysdep_tproxy='1'
> Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): Changing process 
> capabilities; caps='= cap_net_bind_service+ep cap_net_admin+p'
> Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): Changing process 
> capabilities; caps='= cap_net_bind_service,cap_net_admin+ep'
> Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): bind() failed; 
> error='No such file or directory'
> Nov 23 11:53:35 xxxxxxx zorp[4575]: (noname/nosession): Resetting process 
> capabilities; caps='= cap_net_bind_service,cap_net_admin+p'
> Nov 23 11:53:35 xxxxxxx zorp[4580]: (conntrack/thread): thread starting;
> Nov 23 11:53:35 xxxxxxx zorp[4575]: zorp version 2.0pre25 starting up
> Nov 23 11:53:35 xxxxxxx zorp[4577]: (Log thread): Traceback (most recent call 
> last):
> Nov 23 11:53:35 xxxxxxx zorp[4575]: (zorp/nosession): Error opening policy 
> file /etc/zorp/policy.py
> Nov 23 11:53:35 xxxxxxx zorp[4577]: (Log thread):   File 
> "/etc/zorp/policy.py", line 25, in ?
> Nov 23 11:53:35 xxxxxxx zorp[4575]: zorp version 2.0pre25 going down.
> Nov 23 11:53:35 xxxxxxx zorp[4577]: (Log thread):     from Zorp.Chainer import 
> TransparentChainer, DirectedChainer, InbandChainer, FailoverChainer
> Nov 23 11:53:35 xxxxxxx zorp[4577]: (Log thread): ImportError: cannot import 
> name TransparentChainer
> -----------------------------
> 
> It seems to me that I'm missing some modules. The file /etc/zorp/policy.py is 
> there:
> total 24
> -rw-r--r--    1 root     root          652 Nov 23 11:31 instances.conf
> -rw-r--r--    1 root     root          618 Nov 21 11:03 instances.conf.sample
> -rw-r--r--    1 root     root         4947 Nov 23 11:53 policy.py
> -rw-r--r--    1 root     root         4987 Nov 21 11:03 policy.py.sample
> Could it be that I'm missing some modules? The truth is that I don't have any 
> TransparentChainer.py nor DirectedChainer.py in /usr/share/zorp.
> Does anybody have some hints for me?

The policy.py.sample file is completely out of date. Here's an updated
policy.py.sample, this one actually starts on my box here.

############################################################################
##
## Copyright (c) 2000-2001 BalaBit IT Ltd, Budapest, Hungary
## All rights reserved.
##
## $Id: policy.py.sample,v 1.13 2001/02/12 12:09:53 bazsi Exp $
##
############################################################################

#
# sample firewall policy with transparent access to FTP, HTTP and CVS protocols.
# For FTP and HTTP we use application level gateways, for CVS we use a plug.
# (as long as CVS protocol proxy is not available)
#
# firewall internal network: 192.168.1.0/24
# firewall internal interface: 192.168.1.1
# firewall external interface: 193.225.235.6
#

from Zorp.Core import *
from Zorp.Plug import *
from Zorp.Http import *
from Zorp.Ftp import *

Zorp.firewall_name = 'zorp@site'

InetZone("site-net", "192.168.1.0/24",
         # list of allowed outbound services, '*' matches anything
         outbound_services=["intra_http", "intra_ftp", "intra_cvs"],

         # list of allowed inbound services, '*' matches anything
         inbound_services=[])

InetZone("local", "127.0.0.0/8",
         inbound_services=["*"],
         outbound_services=[])

InetZone("internet", "0.0.0.0/0",
         inbound_services=["*"],
         outbound_services=[])

#
# Here's a proxy event handler definition. We are deriving from a
# simple plug proxy, which is blindly copying in both directions.
#
# Instances of this class represent a "plug proxy". For a complete
# documentation for the features and available attributes of plug see the
# file /doc/modules/plug.txt
#

class IntraCvs(PlugProxy):

    def config(self):
        """ The config event is sent in configuration state, some attributes
        can only be set here. """

        # uncommenting this would make this plug one-way only (server->client)
        #self.copy_to_server = FALSE
        # same but client->server copying would only be performed
        #self.copy_to_client = FALSE

        self.packet_stats_interval = 100

    def startUp(self):
        """ startUp is called after configuration, but before any data
        is transferred. """

        # this is empty now
        pass

    def shutDown(self):
        """ called just before terminating the proxy. """
        pass

    def packetStats(self, client_bytes, client_pkt, server_bytes, server_pkt):
        """ plug is sending this event after self.packet_stats_interval number
        of packets had been transferred. """

        # report traffic information
        proxyLog(self, 'plug.debug', 3,
                 "server->client: packet=%d, bytes=%d, bandwidth=%f"
                 % (client_pkt, client_bytes, self.bandwidth_to_client))
        proxyLog(self, 'plug.debug', 3,
                 "client->server: packet=%d, bytes=%d, bandwidth=%f"
                 % (server_pkt, server_bytes, self.bandwidth_to_server))
        return 1


#
# Let's define a transparent http proxy, which rewrites the user_agent
# header to something different.
#
class IntraHttp(HttpProxy):

    def config(self):
        HttpProxy.config(self)
        self.transparent_mode = TRUE
        self.request_headers["User-Agent"] = (HTTP_HDR_CHANGE_VALUE, "Lynx/2.8.3rel.1")
        self.request["GET"] = (HTTP_REQ_POLICY, self.filterURL)
        # self.parent_proxy = "proxy.site.net"
        # self.parent_proxy_port = 3128
        # self.timeout = 60000
        # self.max_keepalive_requests = 10

    def filterURL(self, method, url, version):
        # return HTTP_REQ_REJECT here to reject this request
        # change self.request_url to redirect to another url
        # change self.connection_mode to HTTP_CONNECTION_CLOSE to force
        # kept-alive connections to close
        log("http.info", 3, "%s: GET: %s" % (self.session.session_id, url))
        # a policy callback has to return a verdict; let this request through
        return HTTP_REQ_ACCEPT

class IntraFtp(FtpProxy):
    def config(self):
        FtpProxy.config(self)

#
# name is passed to the Zorp instance with the --as command line option
# you can use it to start different services for different names
# In this simple policy we ignore it.
#
def init(name):

    # create services
    Service("intra_cvs", IntraCvs)
    Service("intra_http", IntraHttp)
    Service("intra_ftp", IntraFtp)

    # bind services to listeners
    # you'll need the packet filter to redirect these connections, and
    # to protect transparent listeners, since if you connect to
    # a transparent listener directly, Zorp reconnects to itself.
    Listener(SockAddrInet("192.168.1.1", 50080), "intra_http")
    Listener(SockAddrInet("192.168.1.1", 50021), "intra_ftp")
    Listener(SockAddrInet("192.168.1.1", 52401), "intra_cvs")


-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
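An added example, not from the mail above and not zorpctl's own code: a POSIX sh check of the file-descriptor limit that first handles `ulimit -n` returning the word "unlimited", the value that produced the "[: unlimited: integer expression expected" error in the quoted output, and then applies the two-fds-per-session rule from the reply. The 64-fd headroom for Zorp's own files is an assumed figure.

```shell
#!/bin/sh
# fd_check SESSIONS LIMIT
#   SESSIONS: number of parallel sessions the firewall should serve
#   LIMIT:    the output of `ulimit -n`, either a number or "unlimited"
# Returns 0 when LIMIT is sufficient, 1 when it is too low, 2 when it
# cannot be parsed. Prints a one-line verdict.
fd_check() {
    sessions=$1
    limit=$2
    headroom=64    # assumed: listeners, log files, the policy interpreter

    # Handle the non-numeric case before any integer comparison, which is
    # exactly what test(1) choked on in the zorpctl output above.
    if [ "$limit" = "unlimited" ]; then
        echo "fd limit: unlimited, ok"
        return 0
    fi
    case $limit in
        ''|*[!0-9]*)
            echo "fd limit: cannot parse '$limit'" >&2
            return 2 ;;
    esac

    # at least two fds per session (client side + server side), plus headroom
    needed=$(( sessions * 2 + headroom ))
    if [ "$limit" -lt "$needed" ]; then
        echo "Warning: fd limit $limit < $needed needed for $sessions sessions"
        return 1
    fi
    echo "fd limit: $limit, enough for $sessions sessions"
    return 0
}

# stand-alone usage: check the current shell's limit for 1000 sessions
fd_check 1000 "$(ulimit -n)" || echo "consider raising ulimit -n before starting zorp"
```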